The latest articles on DEV Community by Karthik (@karthikeyantv). https://dev.to/karthikeyantv https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F211357%2F6aff08cd-5754-4a38-a5d4-902904e63013.jpeg https://dev.to/karthikeyantv en Karthik Sat, 15 Jan 2022 16:15:35 +0000 https://dev.to/karthikeyantv/how-the-signed-url-works-2dbm https://dev.to/karthikeyantv/how-the-signed-url-works-2dbm <h3> What is a Signed URL? </h3> <p>A signed URL temporarily provides access to a resource. Signed URLs contain user/authentication information in their query string, allowing users without credentials to perform specific actions on a resource. You can add more information in the query string and these values cannot be changed on the client-side.</p> <h3> Signed URL basic workflow: </h3> <ol> <li>Create the URL you want to sign. Mostly the URL will be in the below format. &gt; https://{your_domain}/{path}?{query_parameter}</li> <li>Sign the query parameters with a secret key using the <strong>HMACSHA256</strong> hashing algorithm and you will get a hash code in this process.</li> <li>Append the hash code in your URL like below, &gt; https://{your_domain}/{path}?{query_parameter}&amp;signature={hash_code}</li> <li>When you receive the request in the server with a signature, you need to do the same hashing with the same secret on the request URL query parameters without the signature in the query parameter.</li> <li>Compare the output hash code with the hash code that you get in the request query parameter.</li> <li>You will get a different hash code if the URL is altered on the client-side.</li> </ol> <h3> How to sign a URL? (C#) </h3> <p>Here is the code snippet to sign the URL in C#. The sign URL method requires a message and a secret code to generate the hash code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">class</span> <span class="nc">Program</span> <span class="p">{</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">Main</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> <span class="p">{</span> <span class="kt">string</span> <span class="n">secretCode</span> <span class="p">=</span> <span class="s">"9tGaq1zidmxJN8Pid6IMYhHFqAUwNbu"</span><span class="p">;</span> <span class="c1">// secret code</span> <span class="kt">var</span> <span class="n">url</span> <span class="p">=</span> <span class="s">"https://example.com"</span><span class="p">;</span> <span class="c1">// Variable declaration to form the signature URL </span> <span class="kt">var</span> <span class="n">query</span> <span class="p">=</span> <span class="s">"?page=4&amp;access=rwd&amp;"</span><span class="p">;</span> <span class="c1">// Add queries that you need.</span> <span class="kt">var</span> <span class="n">nonce</span> <span class="p">=</span> <span class="n">Guid</span><span class="p">.</span><span class="nf">NewGuid</span><span class="p">().</span><span class="nf">ToString</span><span class="p">();</span> <span class="c1">// random string - To prevent replay attacks.</span> <span class="kt">double</span> <span class="n">timeStamp</span> <span class="p">=</span> <span class="nf">DateTimeToUnixTimeStamp</span><span class="p">(</span><span class="n">DateTime</span><span class="p">.</span><span class="n">UtcNow</span><span class="p">);</span> <span class="c1">// current time as UNIX time stamp</span> <span class="kt">var</span> <span class="n">expirationTime</span> <span class="p">=</span> <span class="s">"100"</span><span class="p">;</span> <span class="c1">// alive time of the token - This can be used to make the URL expire.</span> <span class="kt">var</span> <span class="n">userId</span> <span class="p">=</span> <span class="m">1</span><span class="p">;</span> <span class="c1">// User ID or user email</span> <span class="kt">string</span> <span class="n">queryParameter</span> <span class="p">=</span> <span class="n">query</span> <span class="p">+</span> <span class="s">"nonce="</span> <span class="p">+</span> <span class="n">nonce</span> <span class="p">+</span> <span class="s">"&amp;user_id="</span> <span class="p">+</span> <span class="n">userId</span> <span class="p">+</span> <span class="s">"&amp;timestamp="</span> <span class="p">+</span> <span class="n">timeStamp</span> <span class="p">+</span> <span class="s">"&amp;expirationtime="</span> <span class="p">+</span> <span class="n">expirationTime</span><span class="p">;</span> <span class="kt">string</span> <span class="n">signature</span> <span class="p">=</span> <span class="nf">SignURL</span><span class="p">(</span><span class="n">queryParameter</span><span class="p">.</span><span class="nf">ToLower</span><span class="p">(),</span> <span class="n">secretCode</span><span class="p">);</span> <span class="kt">string</span> <span class="n">queryWithSignature</span> <span class="p">=</span> <span class="n">queryParameter</span><span class="p">.</span><span class="nf">ToLower</span><span class="p">()</span> <span class="p">+</span> <span class="s">"&amp;signature="</span> <span class="p">+</span> <span class="n">signature</span><span class="p">;</span> <span class="kt">var</span> <span class="n">signedUrl</span> <span class="p">=</span> <span class="n">url</span> <span class="p">+</span> <span class="n">queryWithSignature</span><span class="p">;</span> <span class="p">}</span> <span class="k">static</span> <span class="kt">string</span> <span class="nf">SignURL</span><span class="p">(</span><span class="kt">string</span> <span class="n">message</span><span class="p">,</span> <span class="kt">string</span> <span class="n">secretcode</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">encoding</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">UTF8Encoding</span><span class="p">();</span> <span class="kt">var</span> <span class="n">keyBytes</span> <span class="p">=</span> <span class="n">encoding</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">secretcode</span><span class="p">);</span> <span class="kt">var</span> <span class="n">messageBytes</span> <span class="p">=</span> <span class="n">encoding</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">message</span><span class="p">);</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">hmacsha1</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HMACSHA256</span><span class="p">(</span><span class="n">keyBytes</span><span class="p">))</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">hashMessage</span> <span class="p">=</span> <span class="n">hmacsha1</span><span class="p">.</span><span class="nf">ComputeHash</span><span class="p">(</span><span class="n">messageBytes</span><span class="p">);</span> <span class="k">return</span> <span class="n">Convert</span><span class="p">.</span><span class="nf">ToBase64String</span><span class="p">(</span><span class="n">hashMessage</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">static</span> <span class="kt">double</span> <span class="nf">DateTimeToUnixTimeStamp</span><span class="p">(</span><span class="n">DateTime</span> <span class="n">dateTime</span><span class="p">)</span> <span class="p">{</span> <span class="n">DateTime</span> <span class="n">unixStart</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">DateTime</span><span class="p">(</span><span class="m">1970</span><span class="p">,</span> <span class="m">1</span><span class="p">,</span> <span class="m">1</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="n">System</span><span class="p">.</span><span class="n">DateTimeKind</span><span class="p">.</span><span class="n">Utc</span><span class="p">);</span> <span class="kt">long</span> <span class="n">unixTimeStampInTicks</span> <span class="p">=</span> <span class="p">(</span><span class="n">dateTime</span><span class="p">.</span><span class="nf">ToUniversalTime</span><span class="p">()</span> <span class="p">-</span> <span class="n">unixStart</span><span class="p">).</span><span class="n">Ticks</span><span class="p">;</span> <span class="k">return</span> <span class="n">unixTimeStampInTicks</span> <span class="p">/</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="n">TicksPerSecond</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We should add some additional query parameters for security and for URL expiration.</p> <ul> <li> <strong>nonce</strong> - It's a random string to prevent the replay attack.</li> <li> <strong>timeStamp</strong> - It helps you to calculate the URL expiry. It's advisable to use a UNIX timestamp to avoid confusion in the date format.</li> <li> <strong>expirationTime</strong> - The lifespan of the URL.</li> </ul> <h3> How to verify the Signed URL? </h3> <p>Here is the code snippet to verify the signed URL,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="kt">string</span> <span class="nf">SignURL</span><span class="p">(</span><span class="kt">string</span> <span class="n">message</span><span class="p">,</span> <span class="kt">string</span> <span class="n">secret</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">encoding</span> <span class="p">=</span> <span class="k">new</span> <span class="n">System</span><span class="p">.</span><span class="n">Text</span><span class="p">.</span><span class="nf">UTF8Encoding</span><span class="p">();</span> <span class="kt">var</span> <span class="n">keyBytes</span> <span class="p">=</span> <span class="n">encoding</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">secret</span><span class="p">);</span> <span class="kt">var</span> <span class="n">messageBytes</span> <span class="p">=</span> <span class="n">encoding</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">message</span><span class="p">);</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">hmacsha1</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HMACSHA256</span><span class="p">(</span><span class="n">keyBytes</span><span class="p">))</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">hashMessage</span> <span class="p">=</span> <span class="n">hmacsha1</span><span class="p">.</span><span class="nf">ComputeHash</span><span class="p">(</span><span class="n">messageBytes</span><span class="p">);</span> <span class="k">return</span> <span class="n">Convert</span><span class="p">.</span><span class="nf">ToBase64String</span><span class="p">(</span><span class="n">hashMessage</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">bool</span> <span class="nf">SignatureValidation</span><span class="p">(</span><span class="kt">string</span> <span class="n">query</span><span class="p">,</span> <span class="kt">string</span> <span class="n">secret</span><span class="p">,</span> <span class="kt">string</span> <span class="n">signature</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">SignURL</span><span class="p">(</span><span class="n">HttpUtility</span><span class="p">.</span><span class="nf">UrlDecode</span><span class="p">(</span><span class="n">query</span><span class="p">),</span> <span class="n">secret</span><span class="p">).</span><span class="nf">ToString</span><span class="p">().</span><span class="nf">Equals</span><span class="p">(</span><span class="n">signature</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The above snippet has only the signature validation and it validates only whether the URL query parameter is altered or not.</p> <p>To check the URL expiry, you could use the parameters (expirationTime, timeStamp) that we have added.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">isValidSignatureKey</span> <span class="p">=</span> <span class="nf">SignatureValidation</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="n">secretCode</span><span class="p">,</span> <span class="n">signature</span><span class="p">);</span> <span class="kt">var</span> <span class="n">expireTime</span> <span class="p">=</span> <span class="n">Convert</span><span class="p">.</span><span class="nf">ToInt32</span><span class="p">(</span><span class="n">filterContext</span><span class="p">.</span><span class="n">HttpContext</span><span class="p">.</span><span class="n">Request</span><span class="p">.</span><span class="n">Query</span><span class="p">[</span><span class="s">"expiretime"</span><span class="p">]);</span> <span class="n">DateTime</span> <span class="n">timeStampDateTime</span> <span class="p">=</span> <span class="n">DateTimeHelper</span><span class="p">.</span><span class="nf">UnixTimeStampToDateTime</span><span class="p">(</span><span class="n">Convert</span><span class="p">.</span><span class="nf">ToDouble</span><span class="p">(</span><span class="n">filterContext</span><span class="p">.</span><span class="n">HttpContext</span><span class="p">.</span><span class="n">Request</span><span class="p">.</span><span class="n">Query</span><span class="p">[</span><span class="s">"timestamp"</span><span class="p">]));</span> <span class="kt">bool</span> <span class="n">urlExpiryTime</span> <span class="p">=</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">UtcNow</span> <span class="p">&gt;</span> <span class="n">timeStampDateTime</span> <span class="p">?</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">UtcNow</span> <span class="p">-</span> <span class="n">timeStampDateTime</span> <span class="p">&lt;=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromSeconds</span><span class="p">(</span><span class="n">expireTime</span><span class="p">)</span> <span class="p">:</span> <span class="k">false</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">isValidSignatureKey</span> <span class="p">&amp;&amp;</span> <span class="n">urlExpiryTime</span> <span class="p">&amp;&amp;</span> <span class="p">!</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrEmpty</span><span class="p">(</span><span class="n">nonce</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> csharp security